The present invention relates generally to digital copy protection, digital right management, and conditional access, and more particularly but not exclusively to managing revocation of an entitlement or right to access a file within networks that include non-addressable client devices.
Recent advances in the telecommunications and electronics industry, and, in particular, improvements in digital compression techniques, networking, and hard drive capacities have led to growth in new digital services to a user's home. For example, such advances have provided hundreds of cable television channels to users by compressing digital data and digital video, transmitting the compressed digital signals over conventional coaxial cable television channels, and then decompressing the signals in the user's receiver. One application for these technologies that has received considerable attention recently includes video-on-demand (VOD) systems where a user may communicate with a service operator to request media content and the requested content is routed to the user's home for enjoyment. The service operator typically obtains the content from an upstream content provider, such as a content owner, distributor, or the like.
To protect content from unauthorized use, service operators, content providers, owners, and so forth, may employ a service known as conditional access or digital rights management. Conditional access or digital rights management enables a provider to restrict access of selected content to selected users. This may be achieved, for example by encrypting the content.
One such encryption approach employs a technique that provides a message known as an Entitlement Control Message (ECM). The ECM is typically a packet which includes information to determine a control word (CW) for use in decrypting the content. In this approach, streaming content may be encrypted using the CW. The CW may be encrypted with a service key via the ECM message. The encrypted content, including the ECM may then be provided to a user.
The service key may also be encrypted using an encryption key that may be specific to a user, and sent to the user within a message frame, packet, or the like. For example, the service key may be sent within an Entitlement Management Message (EMM). The EMM may also include additional information such as subscription information, or the like, associated with a user. For example, the EMM may include information that indicates whether the user has a right to access the decrypted content, possible constraints upon the access, or whether such access right is revoked.
However, in many digital network environments today, network address translation (NAT) devices are being employed. Typically, the use of such NAT devices tends to obscure the complexity of one network from another network. By employing a NAT device, the hidden components protected by the NAT device need not reveal their network addresses to a global address space. Therefore, it may be difficult to communicate with the hidden components, unless that component initiates a connection with a device outside of the protection of the NAT device. Such configuration, however, may provide an obstacle to the traditional operation of conditional access services, as the service may be unable to communicate with the hidden component to provide entitlements, rights, or even to revoke such entitlements or rights. Therefore, it is with respect to these considerations and others that the present invention has been made.